Update as of May 23, 2019
The SEC Office of Compliance Inspections and Examinations just released a RISK ALERT announcing that many broker-dealers were not meeting the regulatory requirements related to Regulation S-D and S-ID related to misconfigured Network Storage Solutions. The Alert detailed that many organizations didn't have effective policies and procedures in place to address securing data storage. According to the Wall Street Journal, the SEC sent out information requests to "an unspecified number of investment firms...querying advisers about their security policies and technical aspects of how information is managed and protected at cloud service providers."
Organizations using Apptega and our SEC framework guidance have clarity and the necessary guidance regarding the steps necessary by organizations to meet the SEC requirements.
Original Article from January, 22 2018
Being in the investment advisory business means successfully serving your clients in a changing, complex world. In parallel, as the technology leader or Chief Compliance Officer of your firm, you're focused on cybersecurity. Creating an on-going cybersecurity program that protects your clients, operations and brand is the same overarching goal of the SEC as well. You’ve likely read the April 2014 SEC Alert with guidelines on cybersecurity. As of this writing, Apptega has reviewed dozens of real SEC Examination Request Letters. We’ve also met personally with the SEC to learn more about their goals. It’s no longer a question of what you need to do for cybersecurity but how. Wouldn’t it be great if you could pass an SEC audit in one click? Now you can with cybersecurity management software.
What the SEC Wants
First, let’s recap what the SEC is really looking for. They want to see a real program – an on-going initiative integrated into the culture of your firm with the full participation of senior leadership, clients, and all employees with continued best practices and technology. Performing ad-hoc projects like an annual penetration test, having a generic security policy, and doing employee training once a year to check a couple of boxes is no longer going to cut it – both in managing the risks and in passing an SEC examination. If you haven’t yet had the pleasure of receiving your SEC inquiry letter regarding cybersecurity, it’s 5 pages of requests based on the 28 guidelines. We’ve found that approximately 50% of the SEC’s requested items are to be delivered in advance of the onsite visit, and the other 50% are due when they arrive. The average time you have to pull everything together is only about 10 days.
The Famous 28 Guidelines
The good news is the “28 Questions” in the 2014 cybersecurity alert establishes a roadmap to help secure your firm and meet the SEC’s recommendations. We’ve spent hundreds of hours meeting with registered firms on these guidelines. Breaking it down, there are 6 main categories, 28 guidelines, and 34 individual elements that we’ll call “subcontrols”:
- Governance and Risk Assessment (6 subcontrols)
- Access Rights and Controls (11 subcontrols)
- Data Loss Prevention (3 subcontrols)
- Vendor Management (5 subcontrols)
- Training (2 subcontrols)
- Incident Response (7 subcontrols)
Adding it up, the SEC is recommending 34 specific elements for your security program. This means there are 34 projects/initiatives/implementations you need to organize, build, source, roll-out and manage – not as a few “one and dones” but as an on-going program that never stops. Unfortunately, many firms do not have CISOs (Chief Information Security Officers) or enough IT and compliance staff to organize, manage and satisfy these guidelines fully.
Cybersecurity Management Software for Registered Firms
Cybersecurity program management, which Apptega delivers, will help you pass an SEC audit in one click. Inside Apptega is a framework for SEC registered firms of all sizes called “SEC 28+”. It’s pre-loaded with all of the SEC’s 28 guidelines plus additional items frequently requested in SEC examination inquiry letters. When you select the SEC 28+ framework, Apptega instantly creates a step-by-step roadmap that guides you to complete the 28 guidelines with real-time compliance scoring mapped to the framework, project lifecycle management, task creation and alerts, links to your policies and documents, tools to manage vendors and budgets, and most importantly SEC audit reports in one click. In addition, you have the flexibility to add additional cybersecurity best practices to your program from other frameworks like NIST, CSF, ISO 27001, PCI, NYDFS and GDPR. Need an outside expert to guide you? We'll connect you with an SEC cybersecurity expert to assist you throughout your entire journey, from helping you build your program, create your roadmap, conduct quarterly review sessions, and answer any questions you may have along the way.
Apptega brings together cybersecurity management, one-click reporting, and a network of knowledgeable SEC CISOs in one package. Want to learn more? Click here to schedule a demo to see how other registered firms are automating their cybersecurity programs with Apptega.